Senate warned of private sector ‘spying’

Private companies could swap sensitive customer information under a loophole in Canada’s new digital privacy law, witnesses told the Senate.

Disclosure of customer data to police under C-13, dubbed the cyber-bullying bill, has drawn most of the media attention. But a sister piece of legislation also rewrites Canada’s privacy laws in controversial new ways.

Bill S-4, the Digital Privacy Act, dictates how and when companies can share private customer data.

The bill allows companies to collect and share information about customers without their consent if the company suspects that a law or an agreement has been broken.

“The exemption quite simply allows private sector spying on consumers without any oversight whatsoever,” said Geoffrey White, counsel for the Public Interest Advocacy Centre, to a Senate committee last week.

University of Ottawa law professor Michael Geist told the committee that the bill will “expand the possibility of warrantless disclosure to anyone, not just law enforcement.”

One concern raised is that the bill will open up Canada to copyright trolling. The scenario could involve a record label asking an Internet service provider for a list of all customers who may have illegally downloaded music.

Under the bill, the provider would not be compelled to hand over such a list, but it could do so voluntarily if it believed it had grounds.

John Lawford, executive director at the Public Interest Advocacy Centre, told the Senate the disclosure provision is “unnecessarily broad and would permit disclosure without consent in broad circumstances.”

S-4 and C-13 started as one overhaul of Canada’s privacy laws, though they were split into two pieces of legislation before being tabled.

S-4 does contain sections that have been widely supported, including by the office of the privacy commissioner of Canada.

One section says a customer’s consent is valid only if the person can reasonably be expected to understand the contract they are signing. Another extends the time the privacy office has to lay charges for a breach of privacy laws from 45 days to one year.

Other well-meaning provisions miss the mark, witnesses have told the Senate.

The centrepiece of the legislation is its treatment of data breaches. Under S-4, a company must report security breaches involving private data to the affected customers and to the privacy commissioner. Failing to do so could result in a fine of up to $100,000.

But disclosure is only necessary if the company believes the breach “creates a real risk of significant harm to an individual.”

Some witnesses told the Senate committee this threshold is too vague and subjective, and will lead to companies keeping security breaches quiet. The Public Interest Advocacy Centre argued all security breaches should be disclosed to the privacy commissioner.

However, the privacy office said that if this happened, it would be flooded with disclosures of often trivial breaches. The Canadian Bar Association argued for a different threshold: reporting should be triggered by a material security breach rather than by a real risk of significant harm.